Cyber criminals tightening grip on mobile applications


Cyber attackers are increasingly training their sights on mobile applications as the apps market continues to record substantial growth in both consumer uptake and spending, a new report shows.

Dubbed ‘Application Security in a Multi-Cloud World 2023’, the report commissioned by cybersecurity solutions firm Radware shows that 22.8 percent of organisations that responded to the survey experienced application attacks every single day of last year, which was an over five-fold increase from the four percent recorded in 2022.

The same proportion, 22.8 percent, reported weekly incidents, while those recording an attack on a monthly basis made up 26.2 percent of the respondents.

Those who reported experiencing application attacks on a quarterly and yearly basis translated to 18.3 percent and 8.9 percent of the survey participants respectively, with only one percent stating that they have never experienced an incident.

Application attacks were one of four attack types whose frequency rose most sharply during the year under review, alongside bot, API (application programming interface) and DDoS (distributed denial of service) attacks. Across these four categories, the average share of respondents experiencing attacks on a daily or weekly basis rose to 42 percent, up from an average of 29 percent in 2022.

A bot attack is a cyberattack that uses automated scripts to disrupt a site, steal data, make fraudulent purchases or carry out other malicious actions. API attacks refer to any hostile or attempted hostile exploitation of vulnerabilities in API endpoints to gain unauthorised access, compromise data or disrupt operations.

An API is a channel through which two or more software components communicate with each other. A DDoS attack, on the other hand, floods a server with internet traffic from many sources so that it can no longer serve its normal users, taking the connected online services and sites offline for the duration of the attack.

According to the Radware report, bot attacks were the most frequently seen attack type on the daily, weekly and monthly cadences, with 82 percent of respondents reporting occurrences, followed by API attacks, which 68 percent of survey participants confirmed, up from 55 percent in 2022.

“Another noticeable rise was in DDoS attacks, which saw 60 percent of respondents being attacked monthly or more frequently, compared to 53 percent last year,” states the report, indicating that only 19.8 percent reported having never encountered DDoS attacks.

The report also notes that during the year over 87 percent of the respondents increased their use of internally developed APIs, with almost half (44.1 percent) reporting the two highest levels of increase. None of the organisations saw their API usage decline over the 12-month period.

However, three out of four respondents expressed that they were not confident in how internally developed APIs are protected against security threats that lead to unauthorised data access, exposure of application logic and data breaches.

“Ongoing dependence on modern application development strategies and methodologies – with an emphasis on micro-services and cross-application integration – makes continual and increasing reliance on APIs an almost foregone conclusion,” wrote Radware in the report.

“Organisations that maintain up-to-date documentation on their APIs are somewhat more likely to be confident in current protections because the discipline of maintaining documentation increases the likelihood of understanding the internals of their APIs and thus any unresolved weaknesses.”

According to the survey, 42 percent of organisations expect APIs to be inextricably linked to a business success within the next one year, up from just two percent a year ago.

On application DDoS attacks, respondents raised two key concerns: whether they can deploy the right level of protection to stop an attack from compromising their web applications without collateral damage, and the risk of a web application being taken offline by such an attack.

Some 67.8 percent of organisations were concerned that deploying protection against attacks would cause legitimate traffic to be incorrectly blocked from reaching their website, while 46 percent were troubled by the prospect of DDoS attacks rendering the organisation’s website, or a critical business application, unavailable.
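The trade-off behind that 67.8 percent figure is easy to see in code. The following is an added illustration, not code from the Radware report or from this article: it runs two flood-mitigation policies over a constructed request stream (three ordinary clients at 2 requests per second and one source sending 200 requests per second; all addresses, timings and thresholds are assumptions made for the example). A blunt global request cap stops the flood but also drops legitimate requests once the flood has filled a window, which is exactly the false-positive outcome respondents feared; a per-source token bucket throttles only the flooding source.

```python
# Added example (not from the Radware report or this article): a toy
# application-layer flood filter showing why a blunt global cap blocks
# legitimate traffic while a per-source token bucket does not.
# All addresses, timings and thresholds below are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass

LEGIT_SRCS = ("10.0.0.1", "10.0.0.2", "10.0.0.3")   # constructed clients
FLOOD_SRC = "203.0.113.9"                            # constructed attacker


@dataclass
class Request:
    t_ms: int    # arrival time in milliseconds (integers keep the maths exact)
    src: str
    path: str


def constructed_traffic():
    """Three ordinary clients at 2 req/s for 10 s, plus one source sending
    200 req/s for 5 s. Legitimate requests are appended first so the stable
    sort keeps them ahead of flood requests that share the same t_ms."""
    reqs = []
    for i in range(20):
        for src in LEGIT_SRCS:
            reqs.append(Request(i * 500, src, "/api/orders"))
    for i in range(1000):
        reqs.append(Request(3000 + 5 * i, FLOOD_SRC, "/api/search"))
    reqs.sort(key=lambda r: r.t_ms)
    return reqs


def global_cap(reqs, cap_per_second):
    """Blunt mitigation: at most cap_per_second requests per 1-second window,
    regardless of sender. Once the flood fills a window, every later request
    in that window is dropped, legitimate or not."""
    seen = defaultdict(int)
    allowed, dropped = [], []
    for r in reqs:
        window = r.t_ms // 1000
        if seen[window] < cap_per_second:
            seen[window] += 1
            allowed.append(r)
        else:
            dropped.append(r)
    return allowed, dropped


def per_source_bucket(reqs, rate_per_second, burst):
    """Per-source token bucket: each source may burst `burst` requests and
    then sustain rate_per_second. Tokens are kept in thousandths, so a refill
    of rate_per_second tokens per second is rate_per_second milli-tokens per
    millisecond and the arithmetic stays integer."""
    capacity = burst * 1000
    buckets = {}  # src -> (milli_tokens, last_t_ms)
    allowed, dropped = [], []
    for r in reqs:
        tokens, last = buckets.get(r.src, (capacity, r.t_ms))
        tokens = min(capacity, tokens + (r.t_ms - last) * rate_per_second)
        if tokens >= 1000:
            allowed.append(r)
            tokens -= 1000
        else:
            dropped.append(r)      # throttled; the bucket keeps refilling
        buckets[r.src] = (tokens, r.t_ms)
    return allowed, dropped


def legit_dropped(dropped):
    """False positives: legitimate requests the policy blocked."""
    return sum(1 for r in dropped if r.src in LEGIT_SRCS)


def compare(cap_per_second=50, rate_per_second=5, burst=10):
    """Run both policies over the constructed stream and tally the results."""
    reqs = constructed_traffic()
    g_allowed, g_dropped = global_cap(reqs, cap_per_second)
    b_allowed, b_dropped = per_source_bucket(reqs, rate_per_second, burst)
    return {
        "total": len(reqs),
        "global_allowed": len(g_allowed),
        "global_legit_dropped": legit_dropped(g_dropped),
        "bucket_allowed": len(b_allowed),
        "bucket_legit_dropped": legit_dropped(b_dropped),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With the assumed thresholds, the global cap of 50 requests per second lets through 280 of 1,060 requests but discards 15 of the 60 legitimate ones (every legitimate request arriving after the flood has filled the window), while the per-source bucket (burst 10, sustained 5 req/s) passes all 60 legitimate requests and only 34 from the flooding source. The point is not the specific numbers but that "the right level of protection" has to key on who is sending, not only on how much is arriving.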

Almost all respondents were aware of what downtime caused by an application DDoS attack costs their organisation. The most commonly cited cost bands were $1,000 (Sh162,430) to $4,999 (Sh811,987) per minute, reported by 29.7 percent of respondents, and $5,000 (Sh812,150) to $9,999 (Sh1.6 million) per minute, reported by 19.3 percent.

The overall average cost across all organisations was $6,130 (Sh995,695) per minute or $367,797 (Sh59.7 million) per hour.

The survey involved 202 respondents working in security roles within organisations that had at least 1,000 employees, with Radware indicating that the research cut across multiple industries.
